Cyber Defense eMagazine August Edition for 2021
Cyber Defense eMagazine August Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
Cyber Defense eMagazine August Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
When designing a product, you need to think beyond what you are building your product to do and<br />
consider any use cases you might not have considered. For example, consider a server plat<strong>for</strong>m that is<br />
embedded into an MRI machine in a hospital. A data center is a very different environment than a hospital<br />
basement. You have to think holistically about your product and think through the security implications of<br />
unintended use cases down the road. Hackers use this philosophy, using devices in completely<br />
unexpected ways to uncover potential vulnerabilities. It’s hard to imagine all the potential use cases <strong>for</strong><br />
a particular device (or how bad actors might attack it), so you need to proactively think of security in<br />
layers, and design in defense in depth so that no single exploit is likely to be successful.<br />
2. What’s the first thing that needs to happen when creating a new product?<br />
From an architecture standpoint, you have to think about how a device might come under attack. That<br />
could include hardware, firmware, OS, application, and connectivity types of attacks. Using a ‘design <strong>for</strong><br />
security’ mindset, you must think about all these security attack scenarios because the weakest link<br />
breaks the chain. For example, when thinking about making airplanes safe, designers build in<br />
redundancy, so a single failure isn’t likely to cause a crash. But they also consider passenger safety and<br />
how best to exit planes quickly. They have robust communications and procedures <strong>for</strong> what to do if<br />
communications are down and many, many other aspects that comprise a safer airplane trip. This same<br />
mindset exists in technology, with many security layers built into products from the beginning. An<br />
adversary will avoid heavily protected elements of a product and look <strong>for</strong> the easiest way to break the<br />
system.<br />
This means threat modeling needs to be one of the first things to happen when building a product. You<br />
can threat model everything from environmental factors and natural disasters to global geopolitics, or you<br />
can narrow it down to something like a network or access to a system. It’s about guarding against bad<br />
outcomes. Mature organizations often have teams of researchers dedicated to creating and evaluating<br />
threat models.<br />
3. How do you prioritize security when designing and developing a new product?<br />
Once you get into actual design and development, you want to be able to catch known security threats.<br />
That process is part of the Secure Development Lifecycle or SDL. SDL is a series of processes that<br />
implement security principles and privacy tenets into product development to help support engineers,<br />
developers, and researchers. These processes incorporate security-minded engineering and testing at<br />
the onset of product development when it’s more effective and efficient to employ. Not only does it include<br />
knowledge sharing, but also tools and services that, <strong>for</strong> example, allow someone to run checks against<br />
code. You can imagine the number of checks over time becomes massive, so you need a process that’s<br />
efficient and scales to help teams to better ensure they can catch security vulnerabilities.<br />
Automation plays a vital role here. This involves using tools that embed these checks and automate the<br />
process so designers can run a multitude of complex security checks with a click of a button. Our teams<br />
are constantly working to stay ahead of attackers by trying to find these issues and vulnerabilities be<strong>for</strong>e<br />
an attacker can exploit them. Beyond the SDL, other initiatives play a major role around security, including<br />
training, conferences, Product Security Incident Response Teams (or PSIRTs), bug bounty programs,<br />
offensive and defensive research, and industry collaboration.<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>August</strong> <strong>2021</strong> <strong>Edition</strong> 34<br />
Copyright © <strong>2021</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.